Insider attacks have been hitting the headlines in recent years after a number of high profile breaches.
According to a report released by the Ponemon Institute in July 2016, both careless and malicious insiders are now the most likely root cause of the loss of knowledge assets.
The insider attacker can fit multiple profiles, from a rogue employee with a malicious motive to a staff member who serves as an inadvertent vassal i.e. workers who, in error, permit attackers to access company data.
Detecting insider threats is a tricky business but it can be as simple as enforcing employees to pay attention to cybersecurity policies and being able to distinguish the difference between abnormal and normal user activity.
Unfortunately, many organisations take a slightly immature approach to dealing with the insider threat.
Mature organisations realise that it takes more than technology to tackle the issue of weak links on the inside. While few would deny that insiders pose a data protection threat, much of the security focus is on three areas: architecture, identifying vulnerabilities and responding to attacks.
All are essential, however, there can be an over-reliance on policy and automated enforcement when it comes to protecting against insider threat. Organisations could, for example, define policies for least privilege and enforce the separation of duties and passwords to protect insider credentials.
The NSA had Snowden, Target had its HVAC contractor and even Sage recently fell victim to an employee maliciously using an internal login to gain unauthorised access to staff data at nearly 300 UK firms.
These examples clearly demonstrate the human chink in enterprise security armour. So, if the human element in business is today’s weakest security link , then how do organisations go about addressing this contentious issue?
Are driverless cars leading the charge?
People, the weakest link in the security chain, will always need to be involved in the business to some extent. The tech industry is realising this point around the limits of automation on a much wider scale when we consider driverless cars: vehicle manufacturers are stopping short of declaring fully-automated, self-driving cars, instead investing in technology which can relieve the driver of responsibility for piloting their vehicles.
For now, people must remain involved to a certain extent. In reality, the enterprise needs to learn a key lesson from the development of driverless cars if it is going to successfully mitigate insider threats.
However, the driverless car revolution has also recently hit a few speed bumps due to security concerns. Only this month Uber had to pull its autonomous car trial from the streets of San Francisco due to locals uploading videos of the cars running red lights and dangerously merging in to cycle lanes.
It appears that, just like humans, driverless cars are equally capable of error.
Similarly in business, the idea of throwing technology at security concerns – and eliminating the human weak link – is appealing, but the likelihood of that working successfully is no better than getting completely autonomous cars in the very near future.
The risk of over-reliance on automation
Unlike Google’s approach that goes so far as to eliminate a steering wheel in their opening gambit at this technology, more traditional manufacturers are stopping short of declaring fully-automated, self-driving cars.
Their approach is to augment safety, rather than permit drivers to occupy their time on something other than driving. Similar logic needs to apply in business. Fully removing the insider threat through automation is a risky venture.
What happens when a situation arises that automation simply cannot compute? Is that the time to hand control back to a distracted employee?
Expecting that policies coupled with incomplete automated enforcement will sufficiently mitigate the insider risk is a dangerous gamble. However, we can support IT with tools which make their job easier.
Today, one of the primary tools for enforcing policies related to least privilege and separation of duties is identity governance. It maps out who has access to what, identifies whether that access is within policy, and enforces that policy through automated deprovisioning of accounts.
People are still the problem
The key element of identity governance is the access certification process. On a regular basis (usually every 6-12 months), business managers are required to acknowledge whether their staff have an appropriate level of access to applications.
This is a helpful detective control for access privileges that have outlived their necessity. While this exercise is performed to meet a compliance need rather than an information security need, enforcing the principle of least privilege is an accepted mechanism for improving security posture.
Unfortunately, this approach relies heavily on those business managers taking the time to meticulously go through each certification, an unlikely expectation given today’s fast pace of business.
So we are back to people being the weak link, because business managers have better things to do than check yes or no for each of their employees against each of their access privileges.
They will rubber-stamp the certifications to meet the compliance requirement of reviewing access on a regular basis – but this does nothing to strengthen defences.
“Driverless” identity governance: the silver bullet?
The reality is that fully automated certifications replacing manual certifications any time soon is as unlikely as a driverless car imminently cruising the streets with no steering wheel.
However, there are enhancements that can be made to augment certifications with information that will reduce the insider threat.
The future approach needs to take into account two deficiencies and their respective solutions:
1. Business managers have limited bandwidth and attention for certifications
Identity governance must improve prioritisation of access certifications informed by risk.
If a business manager is only asked to do an in-depth analysis of a small number of high-risk entitlements, they are more likely to give the process their full attention.
2. Even perfect certifications cannot account for rogue administrators or privileges that have been stolen by outsiders
The 6-12 month certification mind-set must be changed.
Identity analytics can play a key role here. Monitoring how insiders use their access, and raising an alert if abnormal or high-risk behaviour is found to trigger an ad-hoc certification, can result in better control.
Reviewers can make an informed decision, supported by this information, to ensure certifications are reviewed more efficiently and have a greater impact on the business’ security posture.
Perhaps one day we will all be able to experience the convenience of driverless cars. For the immediate future, automation can be incrementally useful for discrete tasks such as parking.
Similarly, identity governance is a powerful tool to reduce the insider threat, but it needs to mature to the point where it is more responsive and more automated before the enterprise can rely on it completely.
Sourced by David Mount, director of security solutions consulting EMEA, Micro Focus